MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e1f4af0375906c314e3d460a185d55800a5e324917302d4db56225d5273075. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 9



SHA256 hash: 15e1f4af0375906c314e3d460a185d55800a5e324917302d4db56225d5273075
SHA3-384 hash: 1b255cf5d018f7e00032cb7da6fdbcc530151e0ec3de51bed721c03a3164f259d64b5a67603244f16798c764344919e9
SHA1 hash: 07ee789353a4ec64547b59218b1c002ec679a7c4
MD5 hash: 8856f7554b5340666719df0a98bb9331
humanhash: charlie-california-orange-arizona
File name: PO(S4674 Flow 1 2) - -EJ2152 - 2025.9.25.zip
Signature: RemcosRAT
File size: 1'058'490 bytes
First seen: 2025-09-25 09:46:06 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 24576:mDabbQMqGyRsXlEyRTxpiwaUdqiAaGhuGRPDKYxGorfS5cWI:zbQMHqyjpZ1AlYWGsXr3WI
TLSH: T1A53523F8D535FF1500A27B01114DE3D9E73ABF6016DD78EEBEB69E6840298ACA153630
Magika: zip
Reporter: cocaman
Tags: RemcosRAT zip


cocaman
Malicious email (T1566.001)
From: "Ngu Liew" <esme@eddiexie.com> (likely spoofed)
Received: "from postfix-inbound-6.inbound.mailchannels.net (inbound-egress-10.mailchannels.net [23.83.212.2])"
Date: "25 Sep 2025 02:44:47 -0700"
Subject: "New Order inquiry ( 25-09-2025 )"
Attachment: "PO(S4674 Flow 1+2) - -EJ2152 - 2025.9.25.zip"

Intelligence


File Origin
# of uploads: 1
# of downloads: 84
Origin country: CH
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: 32512
File size: 20 bytes
SHA256 hash: 35961904c58751e408b0ce7b2c32606e5b291f17723d2e244cea814c396dcba3
MD5 hash: 115ee3977f79534476b8825094248dfe
MIME type: application/octet-stream
Signature: RemcosRAT

File name: SHPMT ORDER HGH-PO25012 - PTWH SMS EL49.scr
File size: 1'151'488 bytes
SHA256 hash: 184b60b719f2ef2425d6c7483c11bf6124e67a890fe14acf981b3429e6f56854
MD5 hash: 5515b2a1e61f448da9e045a8c5f2f568
MIME type: application/x-dosexec
Signature: RemcosRAT

File name: 42897527-1807.xlsx
File size: 15'670 bytes
SHA256 hash: b7913c7bbfc24cc06ab944818131b856c80de8bf62ae33adc3f8a5156f36231a
MD5 hash: fb4327f5244cb842edfa4ef23636e09c
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Signature: RemcosRAT
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: keylog spawn word

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bitmap evasive lolbin masquerade msbuild obfuscated packed packed packed rat rat reconnaissance regsvcs remcos remcos rezer0 roboski schtasks stego vbc windows

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Excel Macro Manipulates Hidden Sheets
Detected macro logic designed to hide a sheet within the current, or another spreadsheet. This technique is not necessarily indicative of malicious behavior as hidden sheets have legitimate uses.

Verdict: Malicious
File Type: zip
First seen: 2025-09-25T06:37:00Z UTC
Last seen: 2025-09-25T06:37:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.25 Zip Archive

Threat name: Win64.Trojan.Egairtigado
Status: Malicious
First seen: 2025-09-25 09:46:09 UTC
File Type: Binary (Archive)
Extracted files: 25
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos credential_access execution persistence rat stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: NET
Author: malware-lu

Rule name: pe_no_import_table
Description: Detects PE files that have no import table

Rule name: win32_dotnet_form_obfuscate
Author: Reedus0
Description: Rule for detecting .NET form obfuscate malware

Rule name: win32_dotnet_loader
Author: Reedus0
Description: Rule for detecting .NET loader malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    zip 15e1f4af0375906c314e3d460a185d55800a5e324917302d4db56225d5273075 (this sample)

Delivery method: Distributed via e-mail attachment

Comments